15 Quick Security Wins for Your Network

If protecting your organization from cyberattack is your responsibility, you probably have heard of the 20 baseline security controls that the Consensus Audit Guidelines (CAG) project defines and recommends.

Speaking at the Gartner Information Security Summit 2009 in London, SANS instructor Stephen Armstrong outlined 15 "quick wins" based on these controls: simple steps you can take to make an immediate difference to your security.

Here are the 20 controls, and Armstrong's quick wins and other advice:

3. Secure Configurations For Hardware and Software on Laptops, Workstations, and Servers

Quick win: Remove games, HyperTerminal and the "crapware" that comes bundled with many end-user machines, and unnecessary software on servers. If you need six applications on a machine, there should be six, not twenty. Ideally, deploy standardized images, and document whenever a non-standardized image is used for any reason.

4. Secure Configurations For Network Devices Such as Firewalls, Routers, and Switches

Quick win: Implement ingress and egress filtering, allowing only those ports and services with a documented business need. Configurations should be documented and checked to ensure they are secure.

5. Boundary Defense

Quick win: Deploy whitelists and blacklists and an IDS, and configure outbound controls. If you have no egress monitoring, you are leaving yourself vulnerable: a compromised host that calls home or exfiltrates data will go unnoticed.

6. Maintenance, Monitoring, and Analysis of Security Audit Logs

Quick win: Logs are created for a reason. Make sure they are monitored so you can see what is going on in your network and spot any anomalies or unusual behavior.

7. Application Software Security

Quick win: Use Web application firewalls and application-layer security to protect your applications from SQL injection, cross-site scripting and other attacks. A WAF buys time; it does not replace fixing the vulnerable code.

8. Controlled Use of Administrative Privileges

Quick win: Some IT staff need admin privileges, but not for reading email. Ensure they have separate accounts, with different passwords, for admin and non-admin activities. It's also important to ensure that all devices have their usernames and passwords changed from the defaults.

9. Controlled Access Based on Need to Know

Quick win: Make sure you know which data needs protecting, where it is, and who needs access to it, and ensure controls are in place to restrict access to authorized users.

10. Continuous Vulnerability Assessment and Remediation

Quick win: One way to do this is to use a vulnerability scanner like Nessus. It needs to be updated and run often, because a low-severity finding one day can become a critical vulnerability the next once a working exploit is published.

11. Account Monitoring and Control

Quick win: Disable any accounts that can't be associated with current staff or contractors, and create a procedure for disabling accounts when users leave. It's also useful to generate regular reports on accounts that are not used regularly and on attempts to access disabled accounts.
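The two reports mentioned above, as an added example that is not part of the original article: a small shell script that flags enabled accounts idle for more than a given number of days, and counts SSH login attempts against accounts that have been disabled. The account table and the auth.log lines are constructed for illustration (the sshd message syntax is real; the hosts, users and timestamps are invented), and the `user:last_login_epoch:status` table layout is an assumption; in practice you would build it from `lastlog` or your directory.

```shell
#!/bin/sh
# Added example (not from the article). Two account-hygiene reports over
# constructed data so that it runs offline.
#
# Constructed table: one line per account, assumed layout
#   user:last_successful_login_epoch:status   (status = active | disabled)
ACCOUNTS='alice:1696118400:active
bob:1680000000:active
carol:1650000000:disabled
svc-backup:1696000000:active
dave:1640000000:active'

# Constructed auth.log excerpt (sshd message format is real, data invented).
AUTHLOG='Oct  1 08:00:01 host sshd[100]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
Oct  1 08:05:12 host sshd[101]: Failed password for carol from 203.0.113.7 port 41000 ssh2
Oct  1 08:06:33 host sshd[102]: Failed password for invalid user oracle from 203.0.113.7 port 41002 ssh2
Oct  1 09:10:45 host sshd[103]: Failed password for carol from 203.0.113.9 port 41100 ssh2'

# Report 1: still-enabled accounts whose last login is older than $2 days,
# judged against the reference time $1 (epoch seconds). Prints "user days".
stale_accounts() {
    now="$1"; maxd="$2"
    printf '%s\n' "$ACCOUNTS" | awk -F: -v now="$now" -v maxd="$maxd" '
        $3 == "active" {
            idle = int((now - $2) / 86400)
            if (idle > maxd) print $1, idle
        }'
}

# Report 2: login attempts (successful or failed) against disabled accounts.
# A leaver whose credentials are still being tried is worth a look.
# Prints "user attempts".
disabled_account_attempts() {
    disabled=$(printf '%s\n' "$ACCOUNTS" |
        awk -F: '$3 == "disabled" { printf "%s%s", sep, $1; sep = "," }')
    printf '%s\n' "$AUTHLOG" | awk -v dis="$disabled" '
        BEGIN { n = split(dis, a, ","); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        /sshd\[[0-9]+\]: (Accepted|Failed) / {
            # "... for USER from ..." or "... for invalid user USER from ..."
            user = ""
            for (i = 1; i <= NF; i++)
                if ($i == "for") {
                    user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
                    break
                }
            if (user in off) count[user]++
        }
        END { for (u in count) print u, count[u] }'
}

# Reference time 2023-10-01 00:00:00 UTC so the figures are reproducible.
stale_accounts 1696118400 90
disabled_account_attempts
```

Run against the sample data it reports `bob` (186 days idle) and `dave` (649 days idle) as stale, and two attempts against the disabled account `carol`; the `svc-backup` service account is not flagged, which is exactly why service accounts need their own review, since an idle-days threshold alone will not catch an orphaned one that still runs a nightly job.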

12. Malware Defenses

Quick win: Ensuring anti-malware software is running on all systems is important, but also make sure you have a process in place so that every system's signatures are updated regularly. Another quick win is disabling autorun for removable storage devices.

13. Limitation and Control of Network Ports, Protocols, and Services

Quick win: Make sure your routers can only be managed from the internal network, and that firewalls or filters drop all traffic except for the services and ports that are explicitly allowed.
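The default-deny filtering called for here and under control 4 (ingress and egress filtering with a documented business need for every open port), as an added example that is not part of the original article or of any vendor's configuration: a shell script that generates an nftables ruleset from an allow list in which every entry carries its change ticket and reason. The allow list, the change numbers (CHG-...) and the addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article). Generate a default-deny nftables
# ruleset from a documented allow list, so that every open port carries the
# ticket or business reason that justifies it.
#
# Format of each entry: direction:proto:port:address:reason
#   direction  in  (ingress, filtered on source address)
#              out (egress,  filtered on destination address)
#   address    a CIDR, or "any" for no address restriction
# The entries below are constructed; tickets and addresses are invented.
ALLOW='in:tcp:22:10.0.0.0/8:CHG-101 SSH from the management subnet only
in:tcp:443:any:CHG-102 public HTTPS
out:udp:53:10.0.0.53:CHG-103 DNS to the internal resolver only
out:tcp:443:any:CHG-104 outbound HTTPS for package updates'

# Emit an nftables ruleset for the allow list given in $1. Input, forward
# and output chains all default to drop; the weak setting this replaces is
# "policy accept;", where everything not explicitly blocked gets through.
gen_ruleset() {
    printf '%s\n' "$1" | awk -F: '
    # One accept rule; ingress matches saddr, egress matches daddr.
    function rule(dir, proto, port, addr, why,    sel) {
        sel = ""
        if (addr != "any")
            sel = (dir == "in") ? " ip saddr " addr : " ip daddr " addr
        return "        " proto " dport " port sel " accept comment \"" why "\""
    }
    $1 == "in"  { inr  = inr  rule($1, $2, $3, $4, $5) "\n" }
    $1 == "out" { outr = outr rule($1, $2, $3, $4, $5) "\n" }
    END {
        print "table inet filter {"
        print "    chain input {"
        print "        type filter hook input priority 0; policy drop;"
        print "        ct state established,related accept"
        print "        ct state invalid drop"
        print "        iif lo accept"
        printf "%s", inr
        print "    }"
        print "    chain forward {"
        print "        type filter hook forward priority 0; policy drop;"
        print "    }"
        print "    chain output {"
        print "        type filter hook output priority 0; policy drop;"
        print "        ct state established,related accept"
        print "        oif lo accept"
        printf "%s", outr
        print "    }"
        print "}"
    }'
}

# Sanity check used before deploying: all three base chains must drop by
# default. Prints the number of chains with "policy drop;".
drop_policy_count() {
    gen_ruleset "$1" | grep -c 'policy drop;'
}

gen_ruleset "$ALLOW"
```

Write the output to a file and syntax-check it with `nft -c -f rules.nft` before loading it with `nft -f rules.nft`. Keeping the allow list, not the generated ruleset, under change control is what makes the "documented business need" check in control 4 auditable: a port with no entry has no reason to be open.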

14. Wireless Device Control

Quick win: Scan for rogue access points on your network regularly. Using centrally managed enterprise-class devices with an authorized configuration and security profile is also important.
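A minimal rogue access point check, as an added example that is not part of the original article: it parses the output of a wireless scan, compares each BSSID against an inventory of authorized access points, and separates unknown networks from access points that impersonate the corporate SSID. The scan output follows the layout of `iw dev wlan0 scan` but is constructed here so the script runs offline; the BSSIDs, SSIDs and signal levels are invented.

```shell
#!/bin/sh
# Added example (not from the article). Flag access points whose BSSID is
# not in the authorized inventory. Input is constructed in the style of
# "iw dev wlan0 scan"; in production, replace SCAN with that command's output.

# Constructed inventory: BSSIDs of the centrally managed, authorized APs.
AUTHORIZED='00:11:22:33:44:01
00:11:22:33:44:02'

# Constructed scan output (four BSSes, two of them not in the inventory).
SCAN='BSS 00:11:22:33:44:01(on wlan0) -- associated
    freq: 2412
    signal: -40.00 dBm
    SSID: CorpNet
BSS 00:11:22:33:44:02(on wlan0)
    freq: 5180
    signal: -55.00 dBm
    SSID: CorpNet
BSS de:ad:be:ef:00:01(on wlan0)
    freq: 2437
    signal: -38.00 dBm
    SSID: CorpNet
BSS 66:77:88:99:aa:bb(on wlan0)
    freq: 2462
    signal: -70.00 dBm
    SSID: Free WiFi'

# Print one line per unauthorized BSS as  bssid|ssid|signal|classification
# where $1 is the corporate SSID. An unknown BSSID advertising the corporate
# SSID is either an evil twin or an unmanaged AP bridged into the network.
rogue_aps() {
    auth=$(printf '%s\n' "$AUTHORIZED" | awk '{ printf "%s%s", sep, $1; sep = "," }')
    printf '%s\n' "$SCAN" | awk -v auth="$auth" -v corp="$1" '
    BEGIN { n = split(auth, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    function flush() {
        if (bssid != "" && !(bssid in ok))
            print bssid "|" ssid "|" signal "|" \
                ((ssid == corp) ? "impersonates corporate SSID" : "unknown network")
        bssid = ""; ssid = ""; signal = ""
    }
    # "BSS aa:bb:cc:dd:ee:ff(on wlan0)": strip the "(on ...)" suffix.
    /^BSS / { flush(); bssid = $2; sub(/\(.*/, "", bssid) }
    $1 == "SSID:" { ssid = $2; for (i = 3; i <= NF; i++) ssid = ssid " " $i }
    $1 == "signal:" { signal = $2 }
    END { flush() }'
}

rogue_aps CorpNet
```

The signal level is reported because it is the first triage cue: an unknown BSSID with the corporate SSID at -38 dBm is close, probably inside the building. A BSSID inventory is only a first pass, since an attacker can clone an authorized BSSID; pair the scan with wired-side checks on the switch ports the authorized APs are supposed to occupy.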

15. Data Loss Prevention


The following advice doesn't fall into the category of "quick wins," but is worth considering:

1. Secure Network Engineering

Advice: If you are starting from scratch, make sure your network is secure by design. This implies looking for single points of failure, and building in "choke points" you can monitor.

2. Penetration Tests and Red Team Exercises

Advice: Carry these out regularly, from inside and outside the network perimeter. Use your own staff, automated tools, and outside consultants as well. Remember, a penetration test that finds no vulnerabilities tells you nothing.

3. Incident Response Capability

Advice: Make written preparations in advance so you can react quickly and efficiently during an incident, instead of going into panic mode and risking the wrong decisions that make things worse.

4. Data Recovery Capability

Advice: Make sure backups are performed regularly and are stored offline and offsite. Backups should include applications and operating systems as well as data.

5. Security Skills Assessment and Appropriate Training to Fill Gaps

Advice: Just half an hour of training per year explaining how to choose a secure password and why, or why clicking on email attachments from unknown sources is a bad idea, can pay huge security dividends.